A malicious version of the Microsoft-associated Python package `durabletask` was published to PyPI as part of the ongoing Shai Hulud supply chain campaign. The compromised package contains a dropper that fetches a second-stage payload (`rope.pyz`) from an attacker-controlled domain. The malware bundles three capabilities: an infostealer (Linux-only) targeting cloud credentials and developer tooling, a worm for propagation, and a destructive disk wiper. Three versions have been yanked from PyPI; version 1.4.0 is the latest safe release. The package sees roughly 103,000 weekly downloads and direct impact is assessed as limited, but the targeting of a Microsoft-associated package signals that the campaign is broadening its scope. Developers should audit their dependency trees, compare installed versions against the Snyk advisory, and rotate any credentials exposed on affected Linux systems.

From snyk.io